8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

Analysis

max time kernel
112s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14221affd51c45f23b2390e6708bda89.exe
Size

1.3MB
MD5

14221affd51c45f23b2390e6708bda89
SHA1

145c1c56b374c283194e332572d2722c15cb23f9
SHA256

8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466
SHA512

da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc
SSDEEP

24576:JdcgTewpeuCLZQ5wrS7j5G1bDD6egAmkIC:JdcgT1pehZQYYKTX5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

OWT.exe

pid process

1872 OWT.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

1700 cmd.exe
1120 WerFault.exe
1120 WerFault.exe
1120 WerFault.exe
1120 WerFault.exe
1120 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1120 1872 WerFault.exe OWT.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1464 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

592 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

14221affd51c45f23b2390e6708bda89.exepowershell.exeOWT.exepowershell.exe

pid process

1916 14221affd51c45f23b2390e6708bda89.exe
1456 powershell.exe
1872 OWT.exe
1320 powershell.exe

pid	process
1872	OWT.exe

pid	process
1700	cmd.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe
1120	WerFault.exe

pid	pid_target	process	target process
1120	1872	WerFault.exe	OWT.exe

pid	process
1464	schtasks.exe

pid	process
592	timeout.exe

pid	process
1916	14221affd51c45f23b2390e6708bda89.exe
1456	powershell.exe
1872	OWT.exe
1320	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

14221affd51c45f23b2390e6708bda89.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1916	14221affd51c45f23b2390e6708bda89.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1872	OWT.exe
Token: SeDebugPrivilege	1320	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

14221affd51c45f23b2390e6708bda89.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 1916 wrote to memory of 1456	1916	14221affd51c45f23b2390e6708bda89.exe	powershell.exe
PID 1916 wrote to memory of 1456	1916	14221affd51c45f23b2390e6708bda89.exe	powershell.exe
PID 1916 wrote to memory of 1456	1916	14221affd51c45f23b2390e6708bda89.exe	powershell.exe
PID 1916 wrote to memory of 1700	1916	14221affd51c45f23b2390e6708bda89.exe	cmd.exe
PID 1916 wrote to memory of 1700	1916	14221affd51c45f23b2390e6708bda89.exe	cmd.exe
PID 1916 wrote to memory of 1700	1916	14221affd51c45f23b2390e6708bda89.exe	cmd.exe
PID 1700 wrote to memory of 592	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 592	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 592	1700	cmd.exe	timeout.exe
PID 1700 wrote to memory of 1872	1700	cmd.exe	OWT.exe
PID 1700 wrote to memory of 1872	1700	cmd.exe	OWT.exe
PID 1700 wrote to memory of 1872	1700	cmd.exe	OWT.exe
PID 1872 wrote to memory of 1320	1872	OWT.exe	powershell.exe
PID 1872 wrote to memory of 1320	1872	OWT.exe	powershell.exe
PID 1872 wrote to memory of 1320	1872	OWT.exe	powershell.exe
PID 1872 wrote to memory of 1516	1872	OWT.exe	cmd.exe
PID 1872 wrote to memory of 1516	1872	OWT.exe	cmd.exe
PID 1872 wrote to memory of 1516	1872	OWT.exe	cmd.exe
PID 1516 wrote to memory of 1464	1516	cmd.exe	schtasks.exe
PID 1516 wrote to memory of 1464	1516	cmd.exe	schtasks.exe
PID 1516 wrote to memory of 1464	1516	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 1120	1872	OWT.exe	WerFault.exe
PID 1872 wrote to memory of 1120	1872	OWT.exe	WerFault.exe
PID 1872 wrote to memory of 1120	1872	OWT.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\14221affd51c45f23b2390e6708bda89.exe
"C:\Users\Admin\AppData\Local\Temp\14221affd51c45f23b2390e6708bda89.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp957D.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:592

C:\ProgramData\winrar\OWT.exe
"C:\ProgramData\winrar\OWT.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
5⤵
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1872 -s 1184
4⤵
- Loads dropped DLL
- Program crash
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp957D.tmp.bat

Filesize
138B

MD5
0f6d0022b3ef320d19735d93c2243698

SHA1
bec163f9a0473b8e50a25ad877542d98719a77ac

SHA256
de7b49e6847b73fb8eef522338a17435f25bdb01f854880d9227722b0221b7b0

SHA512
0f60e73543221acd1d2790bb261fd6fc2834d602fe5351ee5a661787d8cc0e708bb2d88a65088afe52470c8d13ba6fae338bb10f5430f75bb4322e7f157f3dac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4941e89cf998f18bc2445c826fd8a4b5

SHA1
fc740027a7726d05e6b6f4025fc758f57640e90f

SHA256
b1b1b90fdc67ed94d04d262e3e703def50b2d18b7fe2806c470e6c7954550279

SHA512
18ffbf5756202cdcc321d4fccd9e5ee22d4cbc906a2d457dde47a7855edb4d6a2ebaaebf399c2e05ae262d9266780d8c3d234a804e9e69e1c31821ea84f5be82

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
\ProgramData\winrar\OWT.exe

Filesize
1.3MB

MD5
14221affd51c45f23b2390e6708bda89

SHA1
145c1c56b374c283194e332572d2722c15cb23f9

SHA256
8ac5061d3b24f6c8d7a60a8199fc4d631bafc71b2b5b3fadaf3ce78c776df466

SHA512
da7418050d24d4a6a43464f437341c43b427b2b59fc44992d42a9cb2a3f56717029600c2bf850393b5691423a12fcb83fbd012f77f7dfb124cd3e6e2082e5abc

Download Submit
memory/592-82-0x0000000000000000-mapping.dmp

Download
memory/1120-126-0x0000000000000000-mapping.dmp

Download
memory/1320-122-0x000000000232B000-0x000000000234A000-memory.dmp

Filesize
124KB

Download
memory/1320-121-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/1320-120-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/1320-119-0x000007FEEA490000-0x000007FEEAFED000-memory.dmp

Filesize
11.4MB

Download
memory/1320-118-0x000007FEEAFF0000-0x000007FEEBA13000-memory.dmp

Filesize
10.1MB

Download
memory/1320-111-0x0000000000000000-mapping.dmp

Download
memory/1456-73-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp

Filesize
8KB

Download
memory/1456-83-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1456-86-0x000000000292B000-0x000000000294A000-memory.dmp

Filesize
124KB

Download
memory/1456-85-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1456-76-0x000007FEEBF40000-0x000007FEEC963000-memory.dmp

Filesize
10.1MB

Download
memory/1456-84-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1456-72-0x0000000000000000-mapping.dmp

Download
memory/1456-80-0x000007FEF5760000-0x000007FEF62BD000-memory.dmp

Filesize
11.4MB

Download
memory/1464-117-0x0000000000000000-mapping.dmp

Download
memory/1516-115-0x0000000000000000-mapping.dmp

Download
memory/1700-89-0x0000000001EA0000-0x000000000205C000-memory.dmp

Filesize
1.7MB

Download
memory/1700-77-0x0000000000000000-mapping.dmp

Download
memory/1872-107-0x00000000001B0000-0x000000000036C000-memory.dmp

Filesize
1.7MB

Download
memory/1872-97-0x000007FEFF090000-0x000007FEFF12F000-memory.dmp

Filesize
636KB

Download
memory/1872-125-0x000007FEF6780000-0x000007FEF68B8000-memory.dmp

Filesize
1.2MB

Download
memory/1872-124-0x000007FEFEF00000-0x000007FEFEF1F000-memory.dmp

Filesize
124KB

Download
memory/1872-88-0x0000000000000000-mapping.dmp

Download
memory/1872-123-0x000007FEFE7A0000-0x000007FEFE877000-memory.dmp

Filesize
860KB

Download
memory/1872-116-0x000007FEFB580000-0x000007FEFB795000-memory.dmp

Filesize
2.1MB

Download
memory/1872-93-0x000007FEFAD60000-0x000007FEFADCF000-memory.dmp

Filesize
444KB

Download
memory/1872-94-0x000007FEFACC0000-0x000007FEFAD5C000-memory.dmp

Filesize
624KB

Download
memory/1872-95-0x000007FEFD810000-0x000007FEFD877000-memory.dmp

Filesize
412KB

Download
memory/1872-105-0x000007FEFD370000-0x000007FEFD573000-memory.dmp

Filesize
2.0MB

Download
memory/1872-109-0x00000000001B0000-0x000000000036C000-memory.dmp

Filesize
1.7MB

Download
memory/1872-108-0x000007FEF64B0000-0x000007FEF65DC000-memory.dmp

Filesize
1.2MB

Download
memory/1872-98-0x0000000076F10000-0x000000007702F000-memory.dmp

Filesize
1.1MB

Download
memory/1872-100-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/1872-101-0x000007FEFABC0000-0x000007FEFACB7000-memory.dmp

Filesize
988KB

Download
memory/1872-102-0x000007FEFEDD0000-0x000007FEFEEAB000-memory.dmp

Filesize
876KB

Download
memory/1872-103-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-104-0x000007FEFD580000-0x000007FEFD6AD000-memory.dmp

Filesize
1.2MB

Download
memory/1872-106-0x00000000001B0000-0x000000000036C000-memory.dmp

Filesize
1.7MB

Download
memory/1872-96-0x0000000077030000-0x000000007712A000-memory.dmp

Filesize
1000KB

Download
memory/1872-110-0x00000000000E0000-0x0000000000121000-memory.dmp

Filesize
260KB

Download
memory/1872-99-0x000007FEFCF90000-0x000007FEFCFFC000-memory.dmp

Filesize
432KB

Download
memory/1916-74-0x0000000000370000-0x000000000052C000-memory.dmp

Filesize
1.7MB

Download
memory/1916-78-0x000007FEFEF00000-0x000007FEFEF1F000-memory.dmp

Filesize
124KB

Download
memory/1916-68-0x000007FEFD580000-0x000007FEFD6AD000-memory.dmp

Filesize
1.2MB

Download
memory/1916-67-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/1916-79-0x0000000000370000-0x000000000052C000-memory.dmp

Filesize
1.7MB

Download
memory/1916-75-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1916-69-0x000007FEFD370000-0x000007FEFD573000-memory.dmp

Filesize
2.0MB

Download
memory/1916-66-0x000007FEFEDD0000-0x000007FEFEEAB000-memory.dmp

Filesize
876KB

Download
memory/1916-64-0x000007FEFAC30000-0x000007FEFAD27000-memory.dmp

Filesize
988KB

Download
memory/1916-65-0x0000000000320000-0x0000000000361000-memory.dmp

Filesize
260KB

Download
memory/1916-63-0x0000000000370000-0x000000000052C000-memory.dmp

Filesize
1.7MB

Download
memory/1916-62-0x000007FEFF010000-0x000007FEFF081000-memory.dmp

Filesize
452KB

Download
memory/1916-70-0x0000000000370000-0x000000000052C000-memory.dmp

Filesize
1.7MB

Download
memory/1916-55-0x000007FEFAEC0000-0x000007FEFAF2F000-memory.dmp

Filesize
444KB

Download
memory/1916-71-0x000007FEF6790000-0x000007FEF68BC000-memory.dmp

Filesize
1.2MB

Download
memory/1916-61-0x000007FEFCF90000-0x000007FEFCFFC000-memory.dmp

Filesize
432KB

Download
memory/1916-60-0x0000000076F10000-0x000000007702F000-memory.dmp

Filesize
1.1MB

Download
memory/1916-59-0x000007FEFF090000-0x000007FEFF12F000-memory.dmp

Filesize
636KB

Download
memory/1916-58-0x0000000077030000-0x000000007712A000-memory.dmp

Filesize
1000KB

Download
memory/1916-57-0x000007FEFD810000-0x000007FEFD877000-memory.dmp

Filesize
412KB

Download
memory/1916-56-0x000007FEFAD30000-0x000007FEFADCC000-memory.dmp

Filesize
624KB

Download